
Privacera Platform master publication

Configure SSL for Privacera


If required, you can enable or disable SSL for the following Privacera services. Add the SSL property of the service you want to configure to the vars.ssl.yml file and set it to true or false.

Note

Support Chain SSL - Preview Functionality

Previously, Privacera services used only one SSL certificate of the LDAP server even if a chain of certificates was available. Now, as a Preview functionality, all the certificates available in the chain certificate are imported into the truststore. This is added for Privacera usersync, Ranger usersync and portal SSL certificates.

Properties to enable SSL

Service        Property
Solr           SOLR_SSL_ENABLE: "true"
AuditServer    AUDITSERVER_SSL_ENABLE: "true"
Portal         PORTAL_SSL_ENABLE: "true"
Grafana        GRAFANA_SSL_ENABLE: "true"
Ranger         RANGER_SSL_ENABLE: "true"

Note (Solr)

If you are transitioning an existing, working non-SSL Privacera environment, where all the Privacera services are running, to SSL or vice versa, the entire update process takes around 15-30 minutes more to complete because of the additional Solr transition process.

DataServer service
Enable DataServer proxy SSL
Self-signed
  • DATASERVER_PROXY_SSL: "true"

Signed
  1. Copy the following keys to the location ~/privacera/privacera-manager/config/ssl:

    • Signed PEM Full Chain

    • Signed PEM Private Key

  2. Add the following properties.

    DATASERVER_SSL_SELF_SIGNED: "false"
    DATASERVER_HOST_NAME: "<PLEASE_CHANGE>"
    DATASERVER_SSL_SIGNED_PEM_FULL_CHAIN: "<PLEASE_CHANGE>"
    DATASERVER_SSL_SIGNED_PEM_PRIVATE_KEY: "<PLEASE_CHANGE>"
    DATASERVER_SSL_SIGNED_CERT_FORMAT: "<PLEASE_CHANGE>"

    (Optional) Along with the properties above, if your CA certificate is generated with a private key, copy the Signed Root CA Public Key to the location ~/privacera/privacera-manager/config/ssl and add the following:

    DATASERVER_SSL_SIGNED_ROOT_CA_PUBLIC_KEY: "<PLEASE_CHANGE>"
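
A pre-flight check for the signed-certificate steps above, as an added example that is not part of the Privacera documentation or of Privacera Manager. It assumes the two PEM properties hold file names relative to config/ssl, treats a chain file with fewer than two certificates as a problem, and also flags a private key that group or others can access; the function names are hypothetical.

```python
import re
from pathlib import Path

PLACEHOLDER = "<PLEASE_CHANGE>"
# Properties the page lists for a CA-signed DataServer certificate.
REQUIRED = ("DATASERVER_HOST_NAME",
            "DATASERVER_SSL_SIGNED_PEM_FULL_CHAIN",
            "DATASERVER_SSL_SIGNED_PEM_PRIVATE_KEY",
            "DATASERVER_SSL_SIGNED_CERT_FORMAT")
CHAIN, KEY = REQUIRED[1], REQUIRED[2]
LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*:\s*"?([^"#]*)"?')


def parse_vars(text):
    """Read flat KEY: "value" lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def preflight(vars_text, ssl_dir):
    """Return a list of problems to fix before running the update."""
    props = parse_vars(vars_text)
    if props.get("DATASERVER_SSL_SELF_SIGNED") != "false":
        return []  # self-signed path: no operator-supplied files to check
    problems = []
    for name in REQUIRED:
        if props.get(name, "") in ("", PLACEHOLDER):
            problems.append(f"{name} is unset or still {PLACEHOLDER}")
    for name in (CHAIN, KEY):
        value = props.get(name, "")
        if value in ("", PLACEHOLDER):
            continue
        path = Path(ssl_dir) / value  # assumption: value is a file name
        if not path.is_file():
            problems.append(f"{name}: {path.name} not found in {ssl_dir}")
        elif name == CHAIN:
            n = path.read_text().count("-----BEGIN CERTIFICATE-----")
            if n < 2:
                problems.append(f"{name}: {n} certificate(s), not a full chain")
        elif path.stat().st_mode & 0o077:
            problems.append(f"{name}: key file is accessible to group/others")
    return problems
```

Call `preflight()` with the contents of vars.ssl.yml and the path of the config/ssl directory; an empty list means none of these checks failed.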
Disable DataServer proxy SSL
  1. Set DATASERVER_PROXY_SSL: "false"

  2. When switching DataServer from SSL to non-SSL, or from self-signed to signed, or vice versa, remove the previously generated DataServer SSL configuration before you run the Privacera Manager update.

    This can be done by running:

    rm -rf ~/privacera/privacera-manager/config/ssl/dataserver*